From 0bdb18e0fb443e1ddc479418fe5caea10687e864 Mon Sep 17 00:00:00 2001 From: Daemonslayer2048 Date: Thu, 24 Aug 2023 18:34:54 -0500 Subject: [PATCH 1/8] Convert all collections to full FQCN --- roles/rke2_agent/tasks/main.yml | 12 ++-- .../tasks/add-audit-policy-config.yml | 4 +- .../rke2_common/tasks/add-manifest-addons.yml | 2 +- .../rke2_common/tasks/add-registry-config.yml | 6 +- roles/rke2_common/tasks/cis-hardening.yml | 14 ++--- roles/rke2_common/tasks/config.yml | 60 +++++++++---------- .../tasks/images_tarball_install.yml | 8 +-- roles/rke2_common/tasks/iptables_rules.yml | 30 +++++----- roles/rke2_common/tasks/main.yml | 32 +++++----- .../tasks/network_manager_fix.yaml | 12 ++-- roles/rke2_common/tasks/previous_install.yml | 6 +- roles/rke2_common/tasks/rpm_install.yml | 40 +++++++------ roles/rke2_common/tasks/tarball_install.yml | 42 ++++++------- roles/rke2_server/tasks/first_server.yml | 18 +++--- roles/rke2_server/tasks/main.yml | 6 +- roles/rke2_server/tasks/other_servers.yml | 18 +++--- 16 files changed, 156 insertions(+), 154 deletions(-) diff --git a/roles/rke2_agent/tasks/main.yml b/roles/rke2_agent/tasks/main.yml index df5faa42..07654f83 100644 --- a/roles/rke2_agent/tasks/main.yml +++ b/roles/rke2_agent/tasks/main.yml @@ -3,18 +3,18 @@ - name: RKE2 agent and server tasks vars: caller_role_name: agent - include_role: + ansible.builtin.include_role: name: rke2_common tasks_from: main - name: Does config file already have server token? # noqa command-instead-of-shell - command: 'grep -i "^token:" /etc/rancher/rke2/config.yaml' + ansible.builtin.command: 'grep -i "^token:" /etc/rancher/rke2/config.yaml' register: server_token_check failed_when: server_token_check.rc >= 2 changed_when: false - name: Add token to config.yaml - lineinfile: + ansible.builtin.lineinfile: dest: /etc/rancher/rke2/config.yaml line: "token: {{ hostvars[groups['rke2_servers'][0]].rke2_config_token }}" state: present 
@@ -23,13 +23,13 @@
 - '"token:" not in server_token_check.stdout'
 - name: Does config file already have server url? # noqa command-instead-of-shell
- command: 'grep -i "^server:" /etc/rancher/rke2/config.yaml'
+ ansible.builtin.command: 'grep -i "^server:" /etc/rancher/rke2/config.yaml'
 register: server_url_check
 failed_when: server_url_check.rc >= 2
 changed_when: false
 - name: Add server url to config file
- lineinfile:
+ ansible.builtin.lineinfile:
 dest: /etc/rancher/rke2/config.yaml
 line: "server: https://{{ kubernetes_api_server_host }}:9345"
 state: present
@@ -38,7 +38,7 @@
 - '"server:" not in server_url_check.stdout'
 - name: Start rke2-agent
- systemd:
+ ansible.builtin.systemd:
 name: rke2-agent.service
 state: started
 enabled: yes
diff --git a/roles/rke2_common/tasks/add-audit-policy-config.yml b/roles/rke2_common/tasks/add-audit-policy-config.yml
index b4b49f81..66bb82ae 100644
--- a/roles/rke2_common/tasks/add-audit-policy-config.yml
+++ b/roles/rke2_common/tasks/add-audit-policy-config.yml
@@ -1,12 +1,12 @@
 ---
 - name: Create the /etc/rancher/rke2 config dir
- file:
+ ansible.builtin.file:
 path: /etc/rancher/rke2
 state: directory
 recurse: yes
 - name: Add audit policy configuration file
- copy:
+ ansible.builtin.copy:
 src: "{{ audit_policy_config_file_path }}"
 dest: "/etc/rancher/rke2/audit-policy.yaml"
 mode: '0640'
diff --git a/roles/rke2_common/tasks/add-manifest-addons.yml b/roles/rke2_common/tasks/add-manifest-addons.yml
index fc43461e..a7524f1b 100644
--- a/roles/rke2_common/tasks/add-manifest-addons.yml
+++ b/roles/rke2_common/tasks/add-manifest-addons.yml
@@ -1,7 +1,7 @@
 ---
 - name: Add manifest addons files
- copy:
+ ansible.builtin.copy:
 src: "{{ manifest_config_file_path }}"
 dest: "/var/lib/rancher/rke2/server/manifests/"
 mode: '0640'
diff --git a/roles/rke2_common/tasks/add-registry-config.yml b/roles/rke2_common/tasks/add-registry-config.yml
index b4579ae9..9af0add6 100644
--- a/roles/rke2_common/tasks/add-registry-config.yml
+++ b/roles/rke2_common/tasks/add-registry-config.yml
@@ -1,12 +1,12 @@
 ---
 - name: Create the /etc/rancher/rke2 config dir
- file:
+ ansible.builtin.file:
 path: /etc/rancher/rke2
 state: directory
 recurse: yes
 - name: Add registry configuration file
- copy:
+ ansible.builtin.copy:
 src: "{{ registry_config_file_path }}"
 dest: "/etc/rancher/rke2/registries.yaml"
 mode: '0640'
@@ -16,7 +16,7 @@
 notify: Restart rke2-server
 - name: Add registry configuration file
- copy:
+ ansible.builtin.copy:
 src: "{{ registry_config_file_path }}"
 dest: "/etc/rancher/rke2/registries.yaml"
 mode: '0640'
diff --git a/roles/rke2_common/tasks/cis-hardening.yml b/roles/rke2_common/tasks/cis-hardening.yml
index fd48e638..13d2b58b 100644
--- a/roles/rke2_common/tasks/cis-hardening.yml
+++ b/roles/rke2_common/tasks/cis-hardening.yml
@@ -5,22 +5,22 @@
 block:
 - name: Create etcd group
- group:
+ ansible.builtin.group:
 name: etcd
 state: present
 - name: Create etcd user
- user:
+ ansible.builtin.user:
 name: etcd
 comment: etcd user
 shell: /bin/nologin
 group: etcd
 - name: Copy systemctl file for kernel hardening for yum installs
- copy:
+ ansible.builtin.copy:
 src: /usr/share/rke2/rke2-cis-sysctl.conf
 dest: /etc/sysctl.d/60-rke2-cis.conf
- remote_src: yes
+ remote_src: true
 mode: 0600
 register: sysctl_operation_yum
 when:
@@ -28,7 +28,7 @@
 - not rke2_binary_tarball_check.stat.exists
 - name: Copy systemctl file for kernel hardening for non-yum installs
- copy:
+ ansible.builtin.copy:
 src: /usr/local/share/rke2/rke2-cis-sysctl.conf
 dest: /etc/sysctl.d/60-rke2-cis.conf
 remote_src: yes
@@ -40,12 +40,12 @@
 rke2_binary_tarball_check.stat.exists
 - name: Restart systemd-sysctl
- service:
+ ansible.builtin.service:
 state: restarted
 name: systemd-sysctl
 when: sysctl_operation_yum.changed or sysctl_operation_tarball.changed
 - name: Reboot the machine (Wait for 5 min)
- reboot:
+ ansible.builtin.reboot:
 reboot_timeout: 300
 when: sysctl_operation_yum.changed or sysctl_operation_tarball.changed
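Review bot: `remote_src: true` in the yum-install copy task is the only truthy value this commit normalises; the parallel non-yum copy task in the next hunk of the same file keeps `remote_src: yes`, and `recurse: yes`, `enabled: yes`/`enabled: no`, `become: no`, `run_once: yes` and `daemon-reload: yes` stay as they are in rke2_agent/tasks/main.yml, add-audit-policy-config.yml, rke2_common/tasks/main.yml, network_manager_fix.yaml and tarball_install.yml. Either keep a commit titled "Convert all collections to full FQCN" to the FQCN change or apply the `true`/`false` rewrite everywhere, since ansible-lint's truthy rule will keep flagging the rest. In the same task `mode: 0600` is the one unquoted octal mode in the diff while the other tasks write `mode: '0640'`; the quoted form `mode: '0600'` reads as a string instead of a YAML integer and matches the rest of the roles. The surrounding `block:` starts before the hunk.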
diff --git a/roles/rke2_common/tasks/config.yml b/roles/rke2_common/tasks/config.yml index 4a9f0b48..8a67ae26 100644 --- a/roles/rke2_common/tasks/config.yml +++ b/roles/rke2_common/tasks/config.yml @@ -1,34 +1,34 @@ --- - name: Does the /etc/rancher/rke2 dir exist? - stat: + ansible.builtin.stat: path: /etc/rancher/rke2 register: rke2_directory - name: Create the /etc/rancher/rke2 config dir - file: + ansible.builtin.file: path: /etc/rancher/rke2 state: directory recurse: yes when: not rke2_directory.stat.exists - name: Does the /etc/rancher/rke2/config.yaml file exist? - stat: + ansible.builtin.stat: path: /etc/rancher/rke2/config.yaml register: previous_rke2_config - name: Read previous_rke2_config - slurp: + ansible.builtin.slurp: src: /etc/rancher/rke2/config.yaml register: full_orig_rke2_config when: previous_rke2_config.stat.exists - name: Decode contents of slurp - set_fact: + ansible.builtin.set_fact: orig_rke2_config: "{{ full_orig_rke2_config['content'] | b64decode }}" when: previous_rke2_config.stat.exists - name: Create the /etc/rancher/rke2/config.yaml file - file: + ansible.builtin.file: path: /etc/rancher/rke2/config.yaml state: touch mode: "0640" @@ -39,15 +39,15 @@ # --node-label value (agent/node) Registering and starting kubelet with set of labels - name: Get rke2_config node-labels - set_fact: + ansible.builtin.set_fact: rke2_config_node_labels: "{{ rke2_config['node-label'] | default([]) }}" - name: Get host var node-labels - set_fact: + ansible.builtin.set_fact: host_var_node_labels: "{{ node_labels | default([]) }}" - name: Combine rke2_config node labels and hostvar node labels - set_fact: + ansible.builtin.set_fact: all_node_labels: "{{ rke2_config_node_labels + host_var_node_labels }}" changed_when: false 
@@ -60,21 +60,21 @@ changed_when: false - name: Update rke2_config to take value of updated_rke2_config - set_fact: + ansible.builtin.set_fact: rke2_config: "{{ updated_rke2_config.rke2_config }}" changed_when: false # --node-taint value (agent/node) Registering kubelet with set of taints - name: Get rke2_config node-taints - set_fact: + ansible.builtin.set_fact: rke2_config_node_taints: "{{ rke2_config['node-taint'] | default([]) }}" - name: Get host var node-taints - set_fact: + ansible.builtin.set_fact: host_var_node_taints: "{{ node_taints | default([]) }}" - name: Combine rke2_config node taints and hostvar node taints - set_fact: + ansible.builtin.set_fact: all_node_taints: "{{ rke2_config_node_taints + host_var_node_taints }}" changed_when: false @@ -87,7 +87,7 @@ changed_when: false - name: Update rke2_config to take value of updated_rke2_config - set_fact: + ansible.builtin.set_fact: rke2_config: "{{ updated_rke2_config.rke2_config }}" changed_when: false @@ -102,7 +102,7 @@ changed_when: false - name: Update rke2_config to take value of updated_rke2_config # noqa no-handler - set_fact: + ansible.builtin.set_fact: rke2_config: "{{ updated_rke2_config.rke2_config }}" when: (node_ip is defined) and (node_ip|length > 0) changed_when: false @@ -118,7 +118,7 @@ changed_when: false - name: Update rke2_config to take value of updated_rke2_config # noqa no-handler - set_fact: + ansible.builtin.set_fact: rke2_config: "{{ updated_rke2_config.rke2_config }}" when: (node_name is defined) and (node_name|length > 0) changed_when: false @@ -134,7 +134,7 @@ changed_when: false - name: Update rke2_config to take value of updated_rke2_config # noqa no-handler - set_fact: + ansible.builtin.set_fact: rke2_config: "{{ updated_rke2_config.rke2_config }}" when: (bind_address is defined) and (bind_address|length > 0) changed_when: false 
@@ -151,7 +151,7 @@ changed_when: false - name: Update rke2_config to take value of updated_rke2_config # noqa no-handler - set_fact: + ansible.builtin.set_fact: rke2_config: "{{ updated_rke2_config.rke2_config }}" when: (advertise_address is defined) and (advertise_address|length > 0) changed_when: false @@ -167,7 +167,7 @@ changed_when: false - name: Update rke2_config to take value of updated_rke2_config # noqa no-handler - set_fact: + ansible.builtin.set_fact: rke2_config: "{{ updated_rke2_config.rke2_config }}" when: (node_external_ip is defined) and (node_external_ip|length > 0) changed_when: false @@ -182,7 +182,7 @@ register: updated_rke2_config - name: Update rke2_config to take value of updated_rke2_config # noqa no-handler - set_fact: + ansible.builtin.set_fact: rke2_config: "{{ updated_rke2_config.rke2_config }}" when: (cloud_provider_name is defined) and (cloud_provider_name|length > 0) @@ -193,7 +193,7 @@ changed_when: false - name: Create tmp config.yaml - copy: + ansible.builtin.copy: content: "{{ rke2_config | to_nice_yaml(indent=0) }}" dest: /tmp/ansible-config.txt mode: "0600" @@ -202,13 +202,13 @@ changed_when: false - name: Get original token - set_fact: + ansible.builtin.set_fact: original_token: "{{ orig_rke2_config | regex_search('token: (.+)') }}" when: previous_rke2_config.stat.exists changed_when: false - name: Add token to config.yaml - lineinfile: + ansible.builtin.lineinfile: dest: /tmp/ansible-config.txt line: "{{ original_token }}" state: present @@ -217,13 +217,13 @@ changed_when: false - name: Get original server - set_fact: + ansible.builtin.set_fact: original_server: "{{ orig_rke2_config | regex_search('server: https://(.*):9345') }}" when: previous_rke2_config.stat.exists changed_when: false - name: Add server url to config file - lineinfile: + ansible.builtin.lineinfile: dest: /tmp/ansible-config.txt line: "{{ original_server }}" state: present 
@@ -232,18 +232,18 @@ changed_when: false - name: Stat tmp config - stat: + ansible.builtin.stat: path: /tmp/ansible-config.txt register: tmp_config changed_when: false - name: Get cksum of tmp config - set_fact: + ansible.builtin.set_fact: tmp_sha1: "{{ tmp_config.stat.checksum }}" changed_when: false - name: Drop in final /etc/rancher/rke2/config.yaml - copy: + ansible.builtin.copy: src: /tmp/ansible-config.txt remote_src: yes dest: /etc/rancher/rke2/config.yaml @@ -260,7 +260,7 @@ changed_when: false - name: Restart rke2-server if package installed and config changed - service: + ansible.builtin.service: state: restarted name: rke2-server when: @@ -269,7 +269,7 @@ - tmp_sha1 != previous_rke2_config.stat.checksum - name: Restart rke2-agent if package installed and config changed - service: + ansible.builtin.service: state: restarted name: rke2-agent when: diff --git a/roles/rke2_common/tasks/images_tarball_install.yml b/roles/rke2_common/tasks/images_tarball_install.yml index a166c687..4942ac2a 100644 --- a/roles/rke2_common/tasks/images_tarball_install.yml +++ b/roles/rke2_common/tasks/images_tarball_install.yml @@ -1,6 +1,6 @@ --- - name: "Check for images tar.gz in {{ playbook_dir }}/tarball_install/rke2-images.linux-amd64.tar.gz" # noqa name[template] yaml[line-length] - stat: + ansible.builtin.stat: path: "{{ playbook_dir }}/tarball_install/rke2-images.linux-amd64.tar.gz" get_checksum: false register: got_images_gz @@ -8,7 +8,7 @@ become: false - name: "Check for images tar.zst in {{ playbook_dir }}/tarball_install/rke2-images.linux-amd64.tar.zst" # noqa name[template] yaml[line-length] - stat: + ansible.builtin.stat: path: "{{ playbook_dir }}/tarball_install/rke2-images.linux-amd64.tar.zst" get_checksum: false register: got_images_zst 
@@ -16,14 +16,14 @@ become: false - name: Add images tar.gz to needed directory if provided - copy: + ansible.builtin.copy: src: "{{ playbook_dir }}/tarball_install/rke2-images.linux-amd64.tar.gz" dest: /var/lib/rancher/rke2/agent/images/ mode: '0644' when: got_images_gz.stat.exists - name: Add images tar.zst to needed directory if provided - copy: + ansible.builtin.copy: src: "{{ playbook_dir }}/tarball_install/rke2-images.linux-amd64.tar.zst" dest: /var/lib/rancher/rke2/agent/images/ mode: '0644' diff --git a/roles/rke2_common/tasks/iptables_rules.yml b/roles/rke2_common/tasks/iptables_rules.yml index 8f0fbed1..9b0bb05c 100644 --- a/roles/rke2_common/tasks/iptables_rules.yml +++ b/roles/rke2_common/tasks/iptables_rules.yml @@ -1,7 +1,7 @@ --- - name: Allow 9345 - iptables: + ansible.builtin.iptables: action: insert chain: INPUT protocol: tcp @@ -11,7 +11,7 @@ when: inventory_hostname in groups['rke2_servers'] - name: Allow 6443 - iptables: + ansible.builtin.iptables: action: insert chain: INPUT protocol: tcp @@ -21,7 +21,7 @@ when: inventory_hostname in groups['rke2_servers'] - name: Allow udp 8472 - iptables: + ansible.builtin.iptables: action: insert chain: INPUT protocol: udp @@ -30,7 +30,7 @@ jump: ACCEPT - name: Allow 10250 - iptables: + ansible.builtin.iptables: action: insert chain: INPUT protocol: tcp @@ -39,7 +39,7 @@ jump: ACCEPT - name: Allow 2379 - iptables: + ansible.builtin.iptables: action: insert chain: INPUT protocol: tcp @@ -49,7 +49,7 @@ when: inventory_hostname in groups['rke2_servers'] - name: Allow 2380 - iptables: + ansible.builtin.iptables: action: insert chain: INPUT protocol: tcp @@ -59,7 +59,7 @@ when: inventory_hostname in groups['rke2_servers'] - name: Allow 30000:32767 - iptables: + ansible.builtin.iptables: action: insert chain: INPUT protocol: tcp @@ -68,7 +68,7 @@ jump: ACCEPT - name: Allow 443 - iptables: + ansible.builtin.iptables: action: insert chain: INPUT protocol: tcp 
@@ -77,47 +77,47 @@ jump: ACCEPT - name: "Allow cluster-cidr forward" - iptables: + ansible.builtin.iptables: action: insert chain: FORWARD source: '{{ rke2_config["cluster-cidr"] | default("10.42.0.0/16") | string }}' jump: ACCEPT - name: "Allow cluster-cidr forward" - iptables: + ansible.builtin.iptables: action: insert chain: FORWARD destination: '{{ rke2_config["cluster-cidr"] | default("10.42.0.0/16") | string }}' jump: ACCEPT - name: "Allow cluster-cidr input" - iptables: + ansible.builtin.iptables: action: insert chain: INPUT source: '{{ rke2_config["cluster-cidr"] | default("10.42.0.0/16") | string }}' jump: ACCEPT - name: "Allow cluster-cidr input" - iptables: + ansible.builtin.iptables: action: insert chain: INPUT destination: '{{ rke2_config["cluster-cidr"] | default("10.42.0.0/16") | string }}' jump: ACCEPT - name: Save iptables - shell: "iptables-save > /etc/sysconfig/iptables" + ansible.builtin.shell: "iptables-save > /etc/sysconfig/iptables" become: true changed_when: false when: ansible_facts['os_family'] == 'RedHat' - name: Install iptables-persistent - apt: + ansible.builtin.apt: name: iptables-persistent state: present when: ansible_facts['os_family'] == 'Debian' - name: Save iptables - shell: "iptables-save > /etc/iptables/rules.v4" + ansible.builtin.shell: "iptables-save > /etc/iptables/rules.v4" become: true changed_when: false when: ansible_facts['os_family'] == 'Debian' diff --git a/roles/rke2_common/tasks/main.yml b/roles/rke2_common/tasks/main.yml index f3bda769..0ee10852 100644 --- a/roles/rke2_common/tasks/main.yml +++ b/roles/rke2_common/tasks/main.yml 
@@ -1,28 +1,28 @@ --- - name: Populate service facts - service_facts: {} + ansible.builtin.service_facts: {} - name: Gather the package facts - package_facts: + ansible.builtin.package_facts: manager: auto - name: Has rke2 been installed already - include_tasks: previous_install.yml + ansible.builtin.include_tasks: previous_install.yml - name: Include images_tarball_install.yml - include_tasks: images_tarball_install.yml + ansible.builtin.include_tasks: images_tarball_install.yml when: not installed - name: "Check for binary tarball in {{ playbook_dir }}/tarball_install/rke2.linux-amd64.tar.gz" # noqa name[template] - stat: + ansible.builtin.stat: path: "{{ playbook_dir }}/tarball_install/rke2.linux-amd64.tar.gz" register: rke2_binary_tarball_check delegate_to: 127.0.0.1 become: no - name: SLES/Ubuntu/Tarball Installation - include_tasks: tarball_install.yml + ansible.builtin.include_tasks: tarball_install.yml when: - |- ((ansible_facts['os_family'] != 'RedHat' and @@ -37,22 +37,22 @@ block: - name: Install redhat-lsb-core when: "'redhat-lsb-core' not in ansible_facts.packages" - yum: + ansible.builtin.yum: name: redhat-lsb-core state: present - name: Reread ansible_lsb facts when: "'redhat-lsb-core' not in ansible_facts.packages" - setup: + ansible.builtin.setup: filter: ansible_lsb* - name: Include task file rpm_install.yml - include_tasks: rpm_install.yml + ansible.builtin.include_tasks: rpm_install.yml # Disable Firewalld # We recommend disabling firewalld. For Kubernetes 1.19+, firewalld must be turned off. - name: Disable FIREWALLD - systemd: + ansible.builtin.systemd: name: firewalld state: stopped enabled: no 
@@ -61,27 +61,27 @@ - ansible_facts.services["firewalld.service"].status != "not-found" - name: Include task file network_manager_fix.yaml - include_tasks: network_manager_fix.yaml + ansible.builtin.include_tasks: network_manager_fix.yaml - name: Include task file config.yml - include_tasks: config.yml + ansible.builtin.include_tasks: config.yml - name: Add server iptables rules - include_tasks: iptables_rules.yml + ansible.builtin.include_tasks: iptables_rules.yml when: - ansible_facts.services["iptables.service"] is defined - add_iptables_rules is true - name: Include task file add-audit-policy-config.yml - include_tasks: add-audit-policy-config.yml + ansible.builtin.include_tasks: add-audit-policy-config.yml when: - audit_policy_config_file_path | length > 0 - name: Include task file add-registry-config.yml - include_tasks: add-registry-config.yml + ansible.builtin.include_tasks: add-registry-config.yml when: registry_config_file_path | length > 0 - name: Run CIS-Hardening Tasks - include_role: + ansible.builtin.include_role: name: rke2_common tasks_from: cis-hardening diff --git a/roles/rke2_common/tasks/network_manager_fix.yaml b/roles/rke2_common/tasks/network_manager_fix.yaml index 595ff2c6..b891b61a 100644 --- a/roles/rke2_common/tasks/network_manager_fix.yaml +++ b/roles/rke2_common/tasks/network_manager_fix.yaml @@ -4,7 +4,7 @@ # https://docs.rke2.io/known_issues/#networkmanager - name: Add NetworkManager fix to rke2-canal.conf - blockinfile: + ansible.builtin.blockinfile: path: /etc/NetworkManager/conf.d/rke2-canal.conf block: | [keyfile] @@ -14,12 +14,12 @@ when: ansible_facts.services["NetworkManager.service"] is defined - name: Does rke2-canal.conf exist - stat: + ansible.builtin.stat: path: /etc/NetworkManager/conf.d/rke2-canal.conf register: rke2_canal_file - name: Set rke2-canal.conf file permissions - file: + ansible.builtin.file: path: /etc/NetworkManager/conf.d/rke2-canal.conf mode: '0600' owner: root 
@@ -27,21 +27,21 @@ when: rke2_canal_file.stat.exists - name: Disable service nm-cloud-setup - systemd: + ansible.builtin.systemd: name: nm-cloud-setup.service enabled: no state: stopped when: ansible_facts.services["nm-cloud-setup.service"] is defined - name: Disable nm-cloud-setup.timer unit - systemd: + ansible.builtin.systemd: name: nm-cloud-setup.timer state: stopped enabled: no when: ansible_facts.services["nm-cloud-setup.service"] is defined - name: Reload NetworkManager - systemd: + ansible.builtin.systemd: name: NetworkManager state: reloaded when: (ansible_facts.services["NetworkManager.service"] is defined) and diff --git a/roles/rke2_common/tasks/previous_install.yml b/roles/rke2_common/tasks/previous_install.yml index ab87b3a3..4ba0e79d 100644 --- a/roles/rke2_common/tasks/previous_install.yml +++ b/roles/rke2_common/tasks/previous_install.yml @@ -1,14 +1,14 @@ --- - name: Check if rke2-server is previously installed - ansible.builtin.debug: + ansible.builtin.ansible.builtin.debug: msg: "rke2-server is already installed. Skipping installation steps." when: > ansible_facts.services["rke2-server.service"] is defined and not ansible_facts.services["rke2-server.service"].status == 'disabled' - name: Set fact if rke2-server was previously installed - set_fact: + ansible.builtin.set_fact: installed: true when: > ansible_facts.services["rke2-server.service"] is defined @@ -22,7 +22,7 @@ and not ansible_facts.services["rke2-agent.service"].status == 'disabled' - name: Set fact if rke2-agent was previously installed - set_fact: + ansible.builtin.set_fact: installed: true when: > ansible_facts.services["rke2-agent.service"] is defined diff --git a/roles/rke2_common/tasks/rpm_install.yml b/roles/rke2_common/tasks/rpm_install.yml index 0f2f3e1e..5732048c 100644 --- a/roles/rke2_common/tasks/rpm_install.yml +++ b/roles/rke2_common/tasks/rpm_install.yml 
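Review bot: `ansible.builtin.ansible.builtin.debug:` in the first hunk of previous_install.yml is a double-prefixed action name: this task already used the FQCN before the commit, and the mechanical `debug:` to `ansible.builtin.debug:` rewrite prefixed it a second time. Ansible cannot resolve that module, so the task file fails to load, and since rke2_common/tasks/main.yml includes previous_install.yml unconditionally, every server and agent run stops there. The line should read `ansible.builtin.debug:`. The rke2-agent counterpart of this task is outside the second hunk's context, so it was presumably not touched; worth confirming it carries a single prefix.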
@@ -4,75 +4,77 @@ when: ( install_rke2_version is not defined ) or ( install_rke2_version | length == 0 ) # noqa var-spacing block: - name: Stop if the provided is not valid - fail: + ansible.builtin.fail: msg: "Provided channel is not valid" when: rke2_channel not in channels - name: Get full version name url - uri: + ansible.builtin.uri: url: https://update.rke2.io/v1-release/channels/{{ rke2_channel }} follow_redirects: all register: rke2_version_url - name: Set full version name - shell: set -o pipefail && echo {{ rke2_version_url.url }} | sed -e 's|.*/||' + ansible.builtin.shell: set -o pipefail && echo {{ rke2_version_url.url }} | sed -e 's|.*/||' register: rke2_full_version changed_when: false args: executable: /usr/bin/bash - name: Set rke2_full_version fact # noqa var-spacing - set_fact: + ansible.builtin.set_fact: rke2_full_version: "{{ rke2_full_version.stdout if ((install_rke2_version is not defined) or (install_rke2_version|length == 0)) else install_rke2_version }}" # yamllint disable-line rule:line-length - name: Set dot version - shell: set -o pipefail && echo {{ rke2_full_version }} | /usr/bin/cut -d'+' -f1 + ansible.builtin.shell: set -o pipefail && echo {{ rke2_full_version }} | /usr/bin/cut -d'+' -f1 register: rke2_version_dot changed_when: false args: executable: /usr/bin/bash - name: Set rke2_version_dot fact - set_fact: + ansible.builtin.set_fact: rke2_version_dot: "{{ rke2_version_dot.stdout }}" - name: Set Maj.Min version - shell: set -o pipefail && echo {{ rke2_full_version }} | /bin/awk -F'.' '{ print $1"."$2 }' | sed "s|^v||g" + ansible.builtin.shell: + cmd: set -o pipefail && echo {{ rke2_full_version }} | /bin/awk -F'.' 
'{ print $1"."$2 }' | sed "s|^v||g" register: rke2_version_majmin changed_when: false args: executable: /usr/bin/bash - name: Set rke2_version_majmin fact - set_fact: + ansible.builtin.set_fact: rke2_version_majmin: "{{ rke2_version_majmin.stdout }}" - name: Set RPM version - shell: set -o pipefail && echo {{ rke2_full_version }} | sed -E -e "s/[\+-]/~/g" | sed -E -e "s/v(.*)/\1/" + ansible.builtin.shell: + cmd: set -o pipefail && echo {{ rke2_full_version }} | sed -E -e "s/[\+-]/~/g" | sed -E -e "s/v(.*)/\1/" register: rke2_version_rpm changed_when: false args: executable: /usr/bin/bash - name: Set rke2_version_rpm fact - set_fact: + ansible.builtin.set_fact: rke2_version_rpm: "{{ rke2_version_rpm.stdout }}" - name: Describe versions - debug: + ansible.builtin.debug: msg: - "Full version: {{ rke2_full_version }}, dot version: {{ rke2_version_dot }}" - "Maj.Min version: {{ rke2_version_majmin }}, rpm version: {{ rke2_version_rpm }}" # Does the Rancher RKE2 Common repo exist already - name: Check to see if rke2-common.repo exists - stat: + ansible.builtin.stat: path: '/etc/yum.repos.d/rke2-common.repo' register: stat_rke2_common_repo # Add RKE2 Common repo if it doesn't exist - name: Add the rke2-common repo RHEL/CentOS 7 - yum_repository: + ansible.builtin.yum_repository: name: "{{ rke2_common_yum_repo.name }}" description: "{{ rke2_common_yum_repo.description }}" baseurl: "{{ rke2_common_yum_repo.baseurl }}" @@ -82,7 +84,7 @@ when: not stat_rke2_common_repo.stat.exists and ansible_lsb.major_release == '7' - name: Add the rke2-common repo RHEL/CentOS 8 - yum_repository: + ansible.builtin.yum_repository: name: "{{ rke2_common_yum_repo.name }}" description: "{{ rke2_common_yum_repo.description }}" baseurl: "{{ rke2_common_yum_repo.baseurl }}" 
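Review bot: The four shell tasks in this hunk end up in two shapes: `Set full version name` and `Set dot version` keep the inline `ansible.builtin.shell: set -o pipefail && …` form, while `Set Maj.Min version` and `Set RPM version` are moved to the nested `cmd:` form, all four still carrying `args: executable: /usr/bin/bash`; tarball_install.yml keeps the inline form throughout. Pick one shape for the file, and since the inline form needs no further change here it is the smaller edit. The first of these tasks only strips the directory part of the redirect target, which Jinja does without a shell: the shell/register pair can be dropped and the following set_fact use `{{ rke2_version_url.url | basename }}` in place of `rke2_full_version.stdout`, which also keeps a value fetched over HTTP out of a shell command line. The enclosing `block:` starts before the hunk.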
@@ -93,13 +95,13 @@ # Does the Rancher RKE2 versioned repo exist already - name: Check to see if rke2 versioned repo exists - stat: + ansible.builtin.stat: path: '/etc/yum.repos.d/rke2-v{{ rke2_version_majmin }}.repo' # noqa var-spacing register: stat_rke2_versioned_repo # Add RKE2 versioned repo if it doesn't exist - name: Add the rke2 versioned repo CentOS/RHEL 7 - yum_repository: + ansible.builtin.yum_repository: name: "{{ rke2_versioned_yum_repo.name }}" description: "{{ rke2_versioned_yum_repo.description }}" baseurl: "{{ rke2_versioned_yum_repo.baseurl }}" @@ -109,7 +111,7 @@ when: not stat_rke2_versioned_repo.stat.exists and ansible_lsb.major_release == '7' - name: Add the rke2 versioned repo CentOS/RHEL 8 - yum_repository: + ansible.builtin.yum_repository: name: "{{ rke2_versioned_yum_repo.name }}" description: "{{ rke2_versioned_yum_repo.description }}" baseurl: "{{ rke2_versioned_yum_repo.baseurl }}" @@ -119,7 +121,7 @@ when: not stat_rke2_versioned_repo.stat.exists and ansible_lsb.major_release == '8' - name: YUM-Based | Install rke2-server - yum: + ansible.builtin.yum: name: "rke2-server-{{ rke2_version_rpm }}" state: latest # noqa package-latest when: @@ -128,7 +130,7 @@ - inventory_hostname in groups['rke2_servers'] - name: YUM-Based | Install rke2-agent - yum: + ansible.builtin.yum: name: "rke2-agent-{{ rke2_version_rpm }}" state: latest # noqa package-latest when: diff --git a/roles/rke2_common/tasks/tarball_install.yml b/roles/rke2_common/tasks/tarball_install.yml index 1c6b53bf..c6ed3c8a 100644 --- a/roles/rke2_common/tasks/tarball_install.yml +++ b/roles/rke2_common/tasks/tarball_install.yml 
@@ -12,13 +12,13 @@ # } - name: TARBALL | Make temp dir - tempfile: + ansible.builtin.tempfile: state: directory suffix: rke2-install.XXXXXXXXXX register: temp_dir - name: Send provided tarball if available - copy: + ansible.builtin.copy: src: "{{ playbook_dir }}/tarball_install/rke2.linux-amd64.tar.gz" dest: "{{ temp_dir.path }}/rke2.linux-amd64.tar.gz" mode: '0644' @@ -28,32 +28,32 @@ when: not rke2_binary_tarball_check.stat.exists block: - name: Stop if the provided channel is not valid - fail: + ansible.builtin.fail: msg: "Provided channel is not valid" when: rke2_channel not in channels - name: TARBALL | Get full version name url - uri: + ansible.builtin.uri: url: https://update.rke2.io/v1-release/channels/{{ rke2_channel }} follow_redirects: all register: rke2_version_url - name: Set full version name - shell: set -o pipefail && echo {{ rke2_version_url.url }} | sed -e 's|.*/||' + ansible.builtin.shell: set -o pipefail && echo {{ rke2_version_url.url }} | sed -e 's|.*/||' register: rke2_full_version changed_when: false args: executable: /bin/bash - name: Set dot version - shell: set -o pipefail && echo {{ rke2_full_version.stdout }} | /usr/bin/cut -d'+' -f1 + ansible.builtin.shell: set -o pipefail && echo {{ rke2_full_version.stdout }} | /usr/bin/cut -d'+' -f1 register: rke2_version_dot changed_when: false args: executable: /bin/bash - name: Set Maj.Min version - shell: >- + ansible.builtin.shell: >- set -o pipefail && echo {{ rke2_full_version.stdout }} | awk -F'.' '{ print $1"."$2 }' | sed "s|^v||g" register: rke2_version @@ -62,7 +62,7 @@ executable: /bin/bash - name: Describe versions - debug: + ansible.builtin.debug: msg: - "Full version: {{ rke2_full_version.stdout }}" - "dot version: {{ rke2_version_dot.stdout }}" 
@@ -70,47 +70,47 @@
 run_once: yes
 - name: TARBALL | Download the tarball
- get_url:
+ ansible.builtin.get_url:
 url: https://github.com/rancher/rke2/releases/download/{{ rke2_full_version.stdout }}/rke2.linux-amd64.tar.gz
 dest: "{{ temp_dir.path }}/rke2.linux-amd64.tar.gz"
 mode: "0644"
 - name: TARBALL | Check Target Mountpoint
- command: mountpoint -q {{ tarball_dir }}
+ ansible.builtin.command: mountpoint -q {{ tarball_dir }}
 register: tarball_dir_stat
 failed_when: false
 changed_when: false
 - name: TARBALL | tarball_dir is a mountpoint setting dir to /opt/rke2
- set_fact:
+ ansible.builtin.set_fact:
 tarball_dir: "/opt/rke2"
 when: tarball_dir_stat.rc == 0
 - name: TARBALL | Using /opt/rke2
- debug:
+ ansible.builtin.debug:
 msg: "Using /opt/rke2 for install directory"
 when: tarball_dir_stat.rc == 0
 - name: TARBALL | Create {{ tarball_dir }}
- file:
+ ansible.builtin.file:
 path: "{{ tarball_dir }}"
 state: directory
 recurse: true
 when: tarball_dir is defined
 - name: TARBALL | Install tar package
- package:
+ ansible.builtin.package:
 name: tar
 state: present
 ignore_errors: true
 - name: TARBALL | Extract the tarball # noqa command-instead-of-module
- command:
+ ansible.builtin.command:
 cmd: tar -xf "{{ temp_dir.path }}/rke2.linux-amd64.tar.gz" -C "{{ tarball_dir }}"
 changed_when: false
 - name: TARBALL | Remove the temp_dir
- file:
+ ansible.builtin.file:
 path: "{{ temp_dir.path }}"
 state: absent
 when: temp_dir.path is defined
@@ -136,7 +136,7 @@
 replace: '{{ tarball_dir }}'
 - name: TARBALL | Moving Systemd units to /etc/systemd/system
- copy:
+ ansible.builtin.copy:
 src: "{{ tarball_dir }}/lib/systemd/system/rke2-server.service"
 dest: /etc/systemd/system/rke2-server.service
 mode: '0644'
@@ -147,7 +147,7 @@
 - inventory_hostname in groups['rke2_servers']
 - name: TARBALL | Moving Systemd units to /etc/systemd/system
- copy:
+ ansible.builtin.copy:
 src: "{{ tarball_dir }}/lib/systemd/system/rke2-server.env"
 dest: /etc/systemd/system/rke2-server.env
 mode: '0644'
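Review bot: The `ansible.builtin.get_url` task at the top of this hunk downloads rke2.linux-amd64.tar.gz with no `checksum:`, so a truncated or substituted archive is handed straight to the `tar -xf` task later in the hunk and unpacked into `{{ tarball_dir }}` with nothing verifying it; since the commit rewrites the task header this is the natural place to add the check. get_url accepts `checksum: "sha256:<digest or URL>"`, and the rke2 release ships a sha256 list next to the tarball, so a single added line such as `checksum: "sha256:<URL of the release's sha256sum file>"` (placeholder for the real asset URL) makes get_url fetch the list and fail on mismatch. With that in place the `tar -xf` task's `changed_when: false` stays as it is, since the download result is what is being validated.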
@@ -158,7 +158,7 @@ - inventory_hostname in groups['rke2_servers'] - name: TARBALL | Moving Systemd units to /etc/systemd/system - copy: + ansible.builtin.copy: src: "{{ tarball_dir }}/lib/systemd/system/rke2-agent.service" dest: /etc/systemd/system/rke2-agent.service mode: '0644' @@ -169,7 +169,7 @@ - inventory_hostname in groups.get('rke2_agents', []) - name: TARBALL | Moving Systemd units to /etc/systemd/system - copy: + ansible.builtin.copy: src: "{{ tarball_dir }}/lib/systemd/system/rke2-agent.env" dest: /etc/systemd/system/rke2-agent.env mode: '0644' @@ -180,5 +180,5 @@ - inventory_hostname in groups.get('rke2_agents', []) - name: TARBALL | Refreshing systemd unit files - systemd: + ansible.builtin.systemd: daemon-reload: yes diff --git a/roles/rke2_server/tasks/first_server.yml b/roles/rke2_server/tasks/first_server.yml index 2eb61ef4..850124c8 100644 --- a/roles/rke2_server/tasks/first_server.yml +++ b/roles/rke2_server/tasks/first_server.yml @@ -1,7 +1,7 @@ --- - name: Add manifest files - include_role: + ansible.builtin.include_role: name: rke2_common tasks_from: add-manifest-addons.yml when: @@ -9,20 +9,20 @@ - manifest_config_file_path | length > 0 - name: Start rke2-server - systemd: + ansible.builtin.systemd: name: rke2-server state: started enabled: yes - name: Wait for k8s apiserver - wait_for: + ansible.builtin.wait_for: host: localhost port: "6443" state: present timeout: 300 - name: Wait for kubelet process to be present on host - command: >- + ansible.builtin.command: >- ps -C kubelet -F -ww --no-headers register: kubelet_check until: kubelet_check.rc == 0 
@@ -31,13 +31,13 @@ changed_when: false - name: Extract the hostname-override parameter from the kubelet process # noqa var-spacing - set_fact: + ansible.builtin.set_fact: kubelet_hostname_override_parameter: "{{ kubelet_check.stdout |\ regex_search('\\s--hostname-override=((([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9]))\\s',\ '\\1') }}" - name: Wait for node to show Ready status - command: >- + ansible.builtin.command: >- /var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml --server https://127.0.0.1:6443 get no {{ kubelet_hostname_override_parameter[0] }} -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' @@ -50,14 +50,14 @@ - name: Add generated Token if none provided block: - name: Wait for node-token - wait_for: + ansible.builtin.wait_for: path: /var/lib/rancher/rke2/server/node-token - name: Read node-token from master - slurp: + ansible.builtin.slurp: src: /var/lib/rancher/rke2/server/node-token register: node_token - name: Store Master node-token - set_fact: + ansible.builtin.set_fact: rke2_config_token: "{{ node_token.content | b64decode | regex_replace('\n', '') }}" diff --git a/roles/rke2_server/tasks/main.yml b/roles/rke2_server/tasks/main.yml index 3e2008bd..fb7f4111 100644 --- a/roles/rke2_server/tasks/main.yml +++ b/roles/rke2_server/tasks/main.yml @@ -3,14 +3,14 @@ - name: RKE2 agent and server tasks vars: caller_role_name: server - include_role: + ansible.builtin.include_role: name: rke2_common tasks_from: main - name: Setup initial server - include_tasks: first_server.yml + ansible.builtin.include_tasks: first_server.yml when: inventory_hostname in groups['rke2_servers'][0] - name: Setup other servers - include_tasks: other_servers.yml + ansible.builtin.include_tasks: other_servers.yml when: inventory_hostname in groups['rke2_servers'][1:] 
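Review bot: In the `@@ -50,14 +50,14 @@` hunk of first_server.yml the `ansible.builtin.slurp` of /var/lib/rancher/rke2/server/node-token and the following `ansible.builtin.set_fact` run without `no_log: true`, so the registered `node_token.content` and the decoded `rke2_config_token` are printed by any `-v` run and end up in CI logs; the same token is then written by the `ansible.builtin.lineinfile` tasks in other_servers.yml (`@@ -1,13 +1,13 @@` on the next line), whose `line:` value is likewise shown in verbose and `--diff` output. Add `no_log: true` to each of those tasks. Only the FQCN changes here, so this is an existing gap rather than a regression, but the series touches every one of these tasks and is the natural place to close it.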
diff --git a/roles/rke2_server/tasks/other_servers.yml b/roles/rke2_server/tasks/other_servers.yml index 8c0b636f..6c8e8d88 100644 --- a/roles/rke2_server/tasks/other_servers.yml +++ b/roles/rke2_server/tasks/other_servers.yml @@ -1,13 +1,13 @@ --- - name: Does config file already have server token? # noqa command-instead-of-shell - command: 'grep -i "^token:" /etc/rancher/rke2/config.yaml' + ansible.builtin.command: 'grep -i "^token:" /etc/rancher/rke2/config.yaml' register: server_token_check failed_when: server_token_check.rc >= 2 changed_when: false - name: Add token to config.yaml - lineinfile: + ansible.builtin.lineinfile: dest: /etc/rancher/rke2/config.yaml line: "token: {{ hostvars[groups['rke2_servers'][0]].rke2_config_token }}" state: present @@ -16,13 +16,13 @@ - '"token:" not in server_token_check.stdout' - name: Does config file already have server url? # noqa command-instead-of-shell - command: 'grep -i "^server:" /etc/rancher/rke2/config.yaml' + ansible.builtin.command: 'grep -i "^server:" /etc/rancher/rke2/config.yaml' register: server_url_check failed_when: server_url_check.rc >= 2 changed_when: false - name: Add server url to config file - lineinfile: + ansible.builtin.lineinfile: dest: /etc/rancher/rke2/config.yaml line: "server: https://{{ kubernetes_api_server_host }}:9345" state: present @@ -34,20 +34,20 @@ throttle: 1 block: - name: Start rke2-server - systemd: + ansible.builtin.systemd: name: rke2-server state: started enabled: yes - name: Wait for k8s apiserver reachability - wait_for: + ansible.builtin.wait_for: host: "{{ kubernetes_api_server_host }}" port: "6443" state: present timeout: 300 - name: Wait for kubelet process to be present on host - command: >- + ansible.builtin.command: >- ps -C kubelet -F -ww --no-headers register: kubelet_check until: kubelet_check.rc == 0 
@@ -56,13 +56,13 @@ changed_when: false - name: Extract the hostname-override parameter from the kubelet process # noqa var-spacing - set_fact: + ansible.builtin.set_fact: kubelet_hostname_override_parameter: "{{ kubelet_check.stdout |\ regex_search('\\s--hostname-override=((([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9]))\\s',\ '\\1') }}" - name: Wait for node to show Ready status - command: >- + ansible.builtin.command: >- /var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml --server https://127.0.0.1:6443 get no {{ kubelet_hostname_override_parameter[0] }} -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' From afe72073f973e8a4d8dffe89ea129a6947ca1915 Mon Sep 17 00:00:00 2001 From: Daemonslayer2048 Date: Thu, 24 Aug 2023 19:46:58 -0500 Subject: [PATCH 2/8] Resolve tag var-naming[no-role-prefix] --- roles/rke2_agent/tasks/main.yml | 2 +- roles/rke2_common/tasks/add-registry-config.yml | 4 ++-- roles/rke2_server/tasks/main.yml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/rke2_agent/tasks/main.yml b/roles/rke2_agent/tasks/main.yml index 07654f83..1cdbe83d 100644 --- a/roles/rke2_agent/tasks/main.yml +++ b/roles/rke2_agent/tasks/main.yml @@ -2,7 +2,7 @@ - name: RKE2 agent and server tasks vars: - caller_role_name: agent + rke2_common_name: agent ansible.builtin.include_role: name: rke2_common tasks_from: main diff --git a/roles/rke2_common/tasks/add-registry-config.yml b/roles/rke2_common/tasks/add-registry-config.yml index 9af0add6..26fd9284 100644 --- a/roles/rke2_common/tasks/add-registry-config.yml +++ b/roles/rke2_common/tasks/add-registry-config.yml @@ -12,7 +12,7 @@ mode: '0640' owner: root group: root - when: caller_role_name == "server" + when: rke2_common_name == "server" notify: Restart rke2-server - name: Add registry configuration file 
@@ -22,5 +22,5 @@ mode: '0640' owner: root group: root - when: caller_role_name == "agent" + when: rke2_common_name == "agent" notify: Restart rke2-agent diff --git a/roles/rke2_server/tasks/main.yml b/roles/rke2_server/tasks/main.yml index fb7f4111..64afc81b 100644 --- a/roles/rke2_server/tasks/main.yml +++ b/roles/rke2_server/tasks/main.yml @@ -2,7 +2,7 @@ - name: RKE2 agent and server tasks vars: - caller_role_name: server + rke2_common_name: server ansible.builtin.include_role: name: rke2_common tasks_from: main From eed170ba68b061e15c6f6f55955a3d0ab7d12460 Mon Sep 17 00:00:00 2001 From: Daemonslayer2048 Date: Thu, 24 Aug 2023 19:59:48 -0500 Subject: [PATCH 3/8] Resolve tag warning[outdated-tag] --- .ansible-lint | 2 +- roles/rke2_common/defaults/main.yml | 2 +- roles/rke2_common/tasks/rpm_install.yml | 6 +++--- roles/rke2_common/tasks/tarball_install.yml | 2 +- roles/rke2_server/tasks/first_server.yml | 2 +- roles/rke2_server/tasks/other_servers.yml | 4 ++-- roles/testing/tasks/kubectl_basic.yml | 2 +- 7 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index 836ced00..dcd7fe9a 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -4,7 +4,7 @@ exclude_paths: - .ansible-lint warn_list: - no-handler - - var-spacing + - jinja[spacing] skip_list: - experimental - fqcn-builtins \ No newline at end of file diff --git a/roles/rke2_common/defaults/main.yml b/roles/rke2_common/defaults/main.yml index e7a261bc..71eca998 100644 --- a/roles/rke2_common/defaults/main.yml +++ b/roles/rke2_common/defaults/main.yml @@ -13,7 +13,7 @@ rke2_common_yum_repo: enabled: yes rke2_versioned_yum_repo: - name: "rke2-v{{ rke2_version_majmin }}" # noqa var-spacing + name: "rke2-v{{ rke2_version_majmin }}" # noqa jinja[spacing] description: "Rancher RKE2 Version" baseurl: "https://rpm.rancher.io/rke2/latest/{{ rke2_version_majmin }}/centos/$releasever/$basearch" gpgcheck: true 
diff --git a/roles/rke2_common/tasks/rpm_install.yml b/roles/rke2_common/tasks/rpm_install.yml index 5732048c..0a12a715 100644 --- a/roles/rke2_common/tasks/rpm_install.yml +++ b/roles/rke2_common/tasks/rpm_install.yml @@ -1,7 +1,7 @@ --- - name: "Calculate rke2 full version " - when: ( install_rke2_version is not defined ) or ( install_rke2_version | length == 0 ) # noqa var-spacing + when: ( install_rke2_version is not defined ) or ( install_rke2_version | length == 0 ) # noqa jinja[spacing] block: - name: Stop if the provided is not valid ansible.builtin.fail: @@ -21,7 +21,7 @@ args: executable: /usr/bin/bash -- name: Set rke2_full_version fact # noqa var-spacing +- name: Set rke2_full_version fact # noqa jinja[spacing] ansible.builtin.set_fact: rke2_full_version: "{{ rke2_full_version.stdout if ((install_rke2_version is not defined) or (install_rke2_version|length == 0)) else install_rke2_version }}" # yamllint disable-line rule:line-length @@ -96,7 +96,7 @@ # Does the Rancher RKE2 versioned repo exist already - name: Check to see if rke2 versioned repo exists ansible.builtin.stat: - path: '/etc/yum.repos.d/rke2-v{{ rke2_version_majmin }}.repo' # noqa var-spacing + path: '/etc/yum.repos.d/rke2-v{{ rke2_version_majmin }}.repo' # noqa jinja[spacing] register: stat_rke2_versioned_repo # Add RKE2 versioned repo if it doesn't exist diff --git a/roles/rke2_common/tasks/tarball_install.yml b/roles/rke2_common/tasks/tarball_install.yml index c6ed3c8a..b0ce2fc6 100644 --- a/roles/rke2_common/tasks/tarball_install.yml +++ b/roles/rke2_common/tasks/tarball_install.yml @@ -24,7 +24,7 @@ mode: '0644' when: rke2_binary_tarball_check.stat.exists -- name: Download tarball # noqa var-spacing +- name: Download tarball # noqa jinja[spacing] when: not rke2_binary_tarball_check.stat.exists block: - name: Stop if the provided channel is not valid diff --git a/roles/rke2_server/tasks/first_server.yml b/roles/rke2_server/tasks/first_server.yml index 850124c8..3f0716ed 100644 
--- a/roles/rke2_server/tasks/first_server.yml +++ b/roles/rke2_server/tasks/first_server.yml @@ -30,7 +30,7 @@ delay: 10 changed_when: false -- name: Extract the hostname-override parameter from the kubelet process # noqa var-spacing +- name: Extract the hostname-override parameter from the kubelet process # noqa jinja[spacing] ansible.builtin.set_fact: kubelet_hostname_override_parameter: "{{ kubelet_check.stdout |\ regex_search('\\s--hostname-override=((([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9]))\\s',\ diff --git a/roles/rke2_server/tasks/other_servers.yml b/roles/rke2_server/tasks/other_servers.yml index 6c8e8d88..b837421f 100644 --- a/roles/rke2_server/tasks/other_servers.yml +++ b/roles/rke2_server/tasks/other_servers.yml @@ -30,7 +30,7 @@ when: - '"server:" not in server_url_check.stdout' -- name: Start and wait for healthy node # noqa var-spacing +- name: Start and wait for healthy node # noqa jinja[spacing] throttle: 1 block: - name: Start rke2-server @@ -55,7 +55,7 @@ delay: 10 changed_when: false - - name: Extract the hostname-override parameter from the kubelet process # noqa var-spacing + - name: Extract the hostname-override parameter from the kubelet process # noqa jinja[spacing] ansible.builtin.set_fact: kubelet_hostname_override_parameter: "{{ kubelet_check.stdout |\ regex_search('\\s--hostname-override=((([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9]))\\s',\ diff --git a/roles/testing/tasks/kubectl_basic.yml b/roles/testing/tasks/kubectl_basic.yml index f1c4bed9..bc8626f3 100644 --- a/roles/testing/tasks/kubectl_basic.yml +++ b/roles/testing/tasks/kubectl_basic.yml 
@@ -10,7 +10,7 @@ delay: 10 changed_when: false -- name: Extract the hostname-override parameter from the kubelet process # noqa var-spacing +- name: Extract the hostname-override parameter from the kubelet process # noqa jinja[spacing] set_fact: kubelet_hostname_override_parameter: "{{ kubelet_check.stdout |\ regex_search('\\s--hostname-override=((([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9]))\\s',\ From c090781bd532c035dfbb61e51a776bd4cee6f8f9 Mon Sep 17 00:00:00 2001 From: jacob Date: Wed, 27 Sep 2023 11:43:39 -0500 Subject: [PATCH 4/8] Roll back and var changes --- roles/rke2_agent/tasks/main.yml | 2 +- roles/rke2_common/tasks/add-registry-config.yml | 4 ++-- roles/rke2_server/tasks/main.yml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/rke2_agent/tasks/main.yml b/roles/rke2_agent/tasks/main.yml index 1cdbe83d..07654f83 100644 --- a/roles/rke2_agent/tasks/main.yml +++ b/roles/rke2_agent/tasks/main.yml @@ -2,7 +2,7 @@ - name: RKE2 agent and server tasks vars: - rke2_common_name: agent + caller_role_name: agent ansible.builtin.include_role: name: rke2_common tasks_from: main diff --git a/roles/rke2_common/tasks/add-registry-config.yml b/roles/rke2_common/tasks/add-registry-config.yml index 26fd9284..9af0add6 100644 --- a/roles/rke2_common/tasks/add-registry-config.yml +++ b/roles/rke2_common/tasks/add-registry-config.yml @@ -12,7 +12,7 @@ mode: '0640' owner: root group: root - when: rke2_common_name == "server" + when: caller_role_name == "server" notify: Restart rke2-server - name: Add registry configuration file @@ -22,5 +22,5 @@ mode: '0640' owner: root group: root - when: rke2_common_name == "agent" + when: caller_role_name == "agent" notify: Restart rke2-agent diff --git a/roles/rke2_server/tasks/main.yml b/roles/rke2_server/tasks/main.yml index 64afc81b..fb7f4111 100644 --- a/roles/rke2_server/tasks/main.yml +++ b/roles/rke2_server/tasks/main.yml 
@@ -2,7 +2,7 @@ - name: RKE2 agent and server tasks vars: - rke2_common_name: server + caller_role_name: server ansible.builtin.include_role: name: rke2_common tasks_from: main From 9de6b308b7a4320993f258eabb7648a1bbb19cac Mon Sep 17 00:00:00 2001 From: jacob Date: Mon, 2 Oct 2023 13:24:16 -0500 Subject: [PATCH 5/8] Fix FQCN lint --- .ansible-lint | 3 +-- ansible.cfg | 4 +-- roles/rke2_common/handlers/main.yml | 6 ++--- .../tasks/calculate_rke2_version.yml | 25 +++++++++++-------- roles/rke2_common/tasks/config.yml | 4 +-- roles/rke2_common/tasks/main.yml | 8 +++--- roles/rke2_common/tasks/previous_install.yml | 8 +++--- roles/rke2_common/tasks/rpm_install.yml | 8 +++--- roles/rke2_common/tasks/tarball_install.yml | 24 +++++++++--------- roles/rke2_server/tasks/first_server.yml | 2 +- roles/rke2_server/tasks/other_servers.yml | 2 +- roles/testing/tasks/basic_tests.yml | 2 +- roles/testing/tasks/kubectl_basic.yml | 8 +++--- roles/testing/tasks/main.yml | 8 +++--- roles/testing/tasks/manifest_test.yml | 8 +++--- roles/testing/tasks/troubleshooting.yml | 12 ++++----- 16 files changed, 67 insertions(+), 65 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index 8d4982ed..32dfeadd 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -7,5 +7,4 @@ warn_list: - var-spacing - var-naming skip_list: - - experimental - - fqcn-builtins \ No newline at end of file + - experimental \ No newline at end of file diff --git a/ansible.cfg b/ansible.cfg index 5162ab34..05f5fba8 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,7 +1,7 @@ [defaults] nocows = True roles_path = ./roles -inventory = ./inventory/my-cluster/hosts.ini +inventory = ./inventory/hosts.ini remote_tmp = $HOME/.ansible/tmp local_tmp = $HOME/.ansible/tmp @@ -11,4 +11,4 @@ pipelining = True host_key_checking = False deprecation_warnings = False callback_whitelist = profile_roles, timer -display_skipped_hosts = no \ No newline at end of file +display_skipped_hosts = no 
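Review bot: After the `.ansible-lint` hunk `@@ -7,5 +7,4 @@`, `warn_list` still contains `var-spacing`, the tag that patch 3 of this series replaced with `jinja[spacing]` in every `# noqa` comment, so the lint config and the inline suppressions now disagree; the entry should read `- jinja[spacing]`. The new side of this file also still ends with `\ No newline at end of file`, which yamllint's `new-line-at-end-of-file` rule reports; patch 7 fixes the same thing for rpm_install.yml but not here.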
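Review bot: The `inventory = ./inventory/hosts.ini` change in the first ansible.cfg hunk is reverted by patch 6 of this same series, so it is unrelated churn that could be dropped from this commit. While this file is open: `host_key_checking = False` (context in the `@@ -11,4 +11,4 @@` hunk) disables SSH host-key verification for every play, which removes the only protection against connecting to a host that is not the one in the inventory; prefer leaving it enabled and distributing known_hosts entries, or at least scoping the override to disposable test inventories.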
diff --git a/roles/rke2_common/handlers/main.yml b/roles/rke2_common/handlers/main.yml index 65fbca28..4f823682 100644 --- a/roles/rke2_common/handlers/main.yml +++ b/roles/rke2_common/handlers/main.yml @@ -1,16 +1,16 @@ --- - name: Restart systemd-sysctl - service: + ansible.builtin.service: state: restarted name: systemd-sysctl - name: Restart rke2-server - service: + ansible.builtin.service: state: restarted name: rke2-server - name: Restart rke2-agent - service: + ansible.builtin.service: state: restarted name: rke2-agent diff --git a/roles/rke2_common/tasks/calculate_rke2_version.yml b/roles/rke2_common/tasks/calculate_rke2_version.yml index 0cc4e97d..783484a9 100644 --- a/roles/rke2_common/tasks/calculate_rke2_version.yml +++ b/roles/rke2_common/tasks/calculate_rke2_version.yml 
@@ -4,63 +4,66 @@ when: ( install_rke2_version is not defined ) or ( install_rke2_version | length == 0 ) block: - name: Stop if the provided is not valid - fail: + ansible.builtin.fail: msg: "Provided channel is not valid" when: rke2_channel not in channels - name: Get full version name url - uri: + ansible.builtin.uri: url: https://update.rke2.io/v1-release/channels/{{ rke2_channel }} follow_redirects: safe remote_src: true register: rke2_version_url - name: Set full version name - shell: set -o pipefail && echo {{ rke2_version_url.url }} | sed -e 's|.*/||' + ansible.builtin.shell: set -o pipefail && echo {{ rke2_version_url.url }} | sed -e 's|.*/||' register: rke2_full_version changed_when: false args: executable: /usr/bin/bash - name: Set rke2_full_version fact - set_fact: + ansible.builtin.set_fact: rke2_full_version: "{{ rke2_full_version.stdout if ((install_rke2_version is not defined) or (install_rke2_version|length == 0)) else install_rke2_version }}" # yamllint disable-line rule:line-length - name: Set dot version - shell: set -o pipefail && echo {{ rke2_full_version }} | /usr/bin/cut -d'+' -f1 + ansible.builtin.shell: + cmd: set -o pipefail && echo {{ rke2_full_version }} | /usr/bin/cut -d'+' -f1 register: rke2_version_dot_tmp changed_when: false args: executable: /usr/bin/bash - name: Set rke2_version_dot fact - set_fact: + ansible.builtin.set_fact: rke2_version_dot: "{{ rke2_version_dot_tmp.stdout }}" - name: Set Maj.Min version - shell: set -o pipefail && echo {{ rke2_full_version }} | /bin/awk -F'.' '{ print $1"."$2 }' | sed "s|^v||g" + ansible.builtin.shell: + cmd: set -o pipefail && echo {{ rke2_full_version }} | /bin/awk -F'.' 
'{ print $1"."$2 }' | sed "s|^v||g" register: rke2_version_majmin_tmp changed_when: false args: executable: /usr/bin/bash - name: Set rke2_version_majmin fact - set_fact: + ansible.builtin.set_fact: rke2_version_majmin: "{{ rke2_version_majmin_tmp.stdout }}" - name: Set RPM version - shell: set -o pipefail && echo {{ rke2_full_version }} | sed -E -e "s/[\+-]/~/g" | sed -E -e "s/v(.*)/\1/" + ansible.builtin.shell: + cmd: set -o pipefail && echo {{ rke2_full_version }} | sed -E -e "s/[\+-]/~/g" | sed -E -e "s/v(.*)/\1/" register: rke2_version_rpm_tmp changed_when: false args: executable: /usr/bin/bash - name: Set rke2_version_rpm fact - set_fact: + ansible.builtin.set_fact: rke2_version_rpm: "{{ rke2_version_rpm_tmp.stdout }}" - name: Describe versions - debug: + ansible.builtin.debug: msg: - "Full version, with revision indication: {{ rke2_full_version }}" - "Version without revision indication: {{ rke2_version_dot }}" diff --git a/roles/rke2_common/tasks/config.yml b/roles/rke2_common/tasks/config.yml index 796ac7a2..db7758b1 100644 --- a/roles/rke2_common/tasks/config.yml +++ b/roles/rke2_common/tasks/config.yml @@ -260,7 +260,7 @@ changed_when: false - name: Restart rke2-server if package installed and config changed or RKE2 version changed - service: + ansible.builtin.service: state: restarted name: rke2-server when: @@ -269,7 +269,7 @@ - (tmp_sha1 != previous_rke2_config.stat.checksum or (rke2_version_changed | default(false))) - name: Restart rke2-agent if package installed and config changed or RKE2 version changed - service: + ansible.builtin.service: state: restarted name: rke2-agent when: diff --git a/roles/rke2_common/tasks/main.yml b/roles/rke2_common/tasks/main.yml index b688f3b5..56840b3c 100644 --- a/roles/rke2_common/tasks/main.yml +++ b/roles/rke2_common/tasks/main.yml 
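Review bot: The `ansible.builtin.shell` tasks in the calculate_rke2_version.yml hunk (header `@@ -4,63 +4,66 @@` on the previous line) interpolate `{{ rke2_version_url.url }}`, the redirect target returned by update.rke2.io, and `{{ rke2_full_version }}`, which may come straight from the user-supplied `install_rke2_version`, into a bash command line unquoted, only to do string slicing that Jinja filters handle without a shell. The hunk also mixes the inline form (`ansible.builtin.shell: set -o pipefail && echo ...`) with the `cmd:` form in the same file, which reads as two authors. Replacing the four shell+set_fact pairs with plain `set_fact` tasks removes both the shell invocation and the `executable: /usr/bin/bash` dependency; the rewrite below assumes the `vX.Y.Z+rke2rN` tag shape the sed/awk pipelines were written for, so the `rke2_version_majmin` and `rke2_version_rpm` expressions should be compared against the current outputs before merging. The enclosing `block:` and its `when:` begin above the hunk and are not touched; indentation below is shown at top level because the collapsed diff does not reveal the original nesting.
```yaml
# … unchanged: channel validation and the ansible.builtin.uri lookup that registers rke2_version_url …

- name: Set rke2_full_version fact
  ansible.builtin.set_fact:
    rke2_full_version: "{{ (rke2_version_url.url | basename) if ((install_rke2_version is not defined) or (install_rke2_version | length == 0)) else install_rke2_version }}"  # yamllint disable-line rule:line-length

- name: Set rke2_version_dot fact
  ansible.builtin.set_fact:
    rke2_version_dot: "{{ rke2_full_version.split('+')[0] }}"

- name: Set rke2_version_majmin fact
  ansible.builtin.set_fact:
    rke2_version_majmin: "{{ (rke2_full_version | regex_replace('^v', '')).split('.')[0:2] | join('.') }}"

- name: Set rke2_version_rpm fact
  ansible.builtin.set_fact:
    rke2_version_rpm: "{{ rke2_full_version | regex_replace('[+-]', '~') | regex_replace('^v', '') }}"

# … unchanged: Describe versions …
```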
@@ -11,17 +11,17 @@ ansible.builtin.include_tasks: previous_install.yml - name: Include images_tarball_install.yml - include_tasks: images_tarball_install.yml + ansible.builtin.include_tasks: images_tarball_install.yml - name: "Check for binary tarball in tarball_install/rke2.linux-amd64.tar.gz" - stat: + ansible.builtin.stat: path: "{{ playbook_dir }}/tarball_install/rke2.linux-amd64.tar.gz" register: rke2_binary_tarball_check delegate_to: 127.0.0.1 become: false - name: Include calculate_rke2_version.yml - include_tasks: calculate_rke2_version.yml + ansible.builtin.include_tasks: calculate_rke2_version.yml when: not rke2_binary_tarball_check.stat.exists - name: SLES/Ubuntu/Tarball Installation @@ -36,7 +36,7 @@ when: - ansible_os_family == 'RedHat' or ansible_os_family == 'Rocky' - not rke2_binary_tarball_check.stat.exists - include_tasks: rpm_install.yml + ansible.builtin.include_tasks: rpm_install.yml # Disable Firewalld # We recommend disabling firewalld. For Kubernetes 1.19+, firewalld must be turned off. diff --git a/roles/rke2_common/tasks/previous_install.yml b/roles/rke2_common/tasks/previous_install.yml index 9699ae79..80df3a00 100644 --- a/roles/rke2_common/tasks/previous_install.yml +++ b/roles/rke2_common/tasks/previous_install.yml @@ -1,7 +1,7 @@ --- - name: Check if rke2-server is previously installed - ansible.builtin.ansible.builtin.debug: + ansible.builtin.debug: msg: "rke2-server is already installed. Skipping installation steps." when: > ansible_facts.services["rke2-server.service"] is defined 
@@ -29,12 +29,12 @@ and not ansible_facts.services["rke2-agent.service"].status == 'disabled' - name: Check for the rke2 binary - stat: + ansible.builtin.stat: path: /usr/local/bin/rke2 register: rke2_binary - name: Get current RKE2 version if already installed - shell: set -o pipefail && /usr/local/bin/rke2 -v | head -n 1 | cut -d ' ' -f 3 + ansible.builtin.shell: set -o pipefail && /usr/local/bin/rke2 -v | head -n 1 | cut -d ' ' -f 3 register: installed_rke2_version_tmp changed_when: false args: @@ -42,6 +42,6 @@ when: rke2_binary.stat.exists - name: Determine if current version differs what what is being installed - set_fact: + ansible.builtin.set_fact: installed_rke2_version: "{{installed_rke2_version_tmp.stdout}}" when: rke2_binary.stat.exists diff --git a/roles/rke2_common/tasks/rpm_install.yml b/roles/rke2_common/tasks/rpm_install.yml index c37084c2..237a73ca 100644 --- a/roles/rke2_common/tasks/rpm_install.yml +++ b/roles/rke2_common/tasks/rpm_install.yml @@ -8,7 +8,7 @@ # Add RKE2 Common repo if it doesn't exist - name: Add the rke2-common repo RHEL/CentOS/Rocky - yum_repository: + ansible.builtin.yum_repository: name: "{{ rke2_common_yum_repo.name }}" description: "{{ rke2_common_yum_repo.description }}" baseurl: "{{ rke2_common_yum_repo.baseurl }}" @@ -18,7 +18,7 @@ when: not stat_rke2_common_repo.stat.exists and ansible_lsb.major_release == '7' - name: Add the rke2-common repo RHEL/CentOS 8 - yum_repository: + ansible.builtin.yum_repository: name: "{{ rke2_common_yum_repo.name }}" description: "{{ rke2_common_yum_repo.description }}" baseurl: "{{ rke2_common_yum_repo.baseurl }}" 
@@ -29,13 +29,13 @@ # Does the Rancher RKE2 versioned repo exist already - name: Check to see if rke2 versioned repo exists - stat: + ansible.builtin.stat: path: '/etc/yum.repos.d/rke2-v{{ rke2_version_majmin }}.repo' register: stat_rke2_versioned_repo # Add RKE2 versioned repo if it doesn't exist - name: Add the rke2 versioned repo CentOS/RHEL/Rocky - yum_repository: + ansible.builtin.yum_repository: name: "{{ rke2_versioned_yum_repo.name }}" description: "{{ rke2_versioned_yum_repo.description }}" baseurl: "{{ rke2_versioned_yum_repo.baseurl }}" diff --git a/roles/rke2_common/tasks/tarball_install.yml b/roles/rke2_common/tasks/tarball_install.yml index 3ce7ec3f..3c97726f 100644 --- a/roles/rke2_common/tasks/tarball_install.yml +++ b/roles/rke2_common/tasks/tarball_install.yml @@ -25,14 +25,14 @@ when: rke2_binary_tarball_check.stat.exists - name: Determine if current version differs what what is being installed - set_fact: + ansible.builtin.set_fact: rke2_version_changed: true when: - not rke2_binary_tarball_check.stat.exists - not installed or installed_rke2_version != rke2_full_version - name: TARBALL | Download the tarball - get_url: + ansible.builtin.get_url: url: https://github.com/rancher/rke2/releases/download/{{ rke2_full_version }}/rke2.linux-amd64.tar.gz dest: "{{ temp_dir.path }}/rke2.linux-amd64.tar.gz" mode: "0644" @@ -41,7 +41,7 @@ - rke2_version_changed - name: TARBALL | Install tar package - package: + ansible.builtin.package: name: tar state: present ignore_errors: true # noqa ignore-errors 
@@ -57,18 +57,18 @@ remote_src: true - name: Get tarball RKE2 version from temp location - shell: set -o pipefail && {{ temp_dir.path }}/bin/rke2 -v | head -n 1 | cut -d ' ' -f 3 + ansible.builtin.shell: set -o pipefail && {{ temp_dir.path }}/bin/rke2 -v | head -n 1 | cut -d ' ' -f 3 register: tarball_rke2_version_tmp changed_when: false args: executable: /usr/bin/bash - name: Set tarball RKE2 version var - set_fact: + ansible.builtin.set_fact: tarball_rke2_version: "{{tarball_rke2_version_tmp.stdout}}" - name: Determine if current version differs what what is being installed - set_fact: + ansible.builtin.set_fact: rke2_version_changed: true when: - not installed or installed_rke2_version != tarball_rke2_version @@ -126,7 +126,7 @@ replace: '{{ tarball_dir }}' - name: TARBALL | Moving Systemd units to /etc/systemd/system - copy: + ansible.builtin.copy: src: "{{ tarball_dir }}/lib/systemd/system/rke2-server.service" dest: /etc/systemd/system/rke2-server.service mode: '0644' @@ -137,7 +137,7 @@ - inventory_hostname in groups['rke2_servers'] - name: TARBALL | Moving Systemd units to /etc/systemd/system - copy: + ansible.builtin.copy: src: "{{ tarball_dir }}/lib/systemd/system/rke2-server.env" dest: /etc/systemd/system/rke2-server.env mode: '0644' @@ -148,7 +148,7 @@ - inventory_hostname in groups['rke2_servers'] - name: TARBALL | Moving Systemd units to /etc/systemd/system - copy: + ansible.builtin.copy: src: "{{ tarball_dir }}/lib/systemd/system/rke2-agent.service" dest: /etc/systemd/system/rke2-agent.service mode: '0644' @@ -159,7 +159,7 @@ - inventory_hostname in groups.get('rke2_agents', []) - name: TARBALL | Moving Systemd units to /etc/systemd/system - copy: + ansible.builtin.copy: src: "{{ tarball_dir }}/lib/systemd/system/rke2-agent.env" dest: /etc/systemd/system/rke2-agent.env mode: '0644' 
@@ -170,11 +170,11 @@ - inventory_hostname in groups.get('rke2_agents', []) - name: TARBALL | Refreshing systemd unit files - systemd: + ansible.builtin.systemd: daemon-reload: yes - name: Remove the temp_dir - file: + ansible.builtin.file: path: "{{ temp_dir.path }}" state: absent when: temp_dir.path is defined diff --git a/roles/rke2_server/tasks/first_server.yml b/roles/rke2_server/tasks/first_server.yml index dcc77dd9..0b85d8a6 100644 --- a/roles/rke2_server/tasks/first_server.yml +++ b/roles/rke2_server/tasks/first_server.yml @@ -31,7 +31,7 @@ changed_when: false - name: Extract the hostname-override parameter from the kubelet process - set_fact: + ansible.builtin.set_fact: kubelet_hostname_override_parameter: "{{ kubelet_check.stdout |\ regex_search('\\s--hostname-override=((([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9]))\\s',\ '\\1') }}" diff --git a/roles/rke2_server/tasks/other_servers.yml b/roles/rke2_server/tasks/other_servers.yml index 22e89d20..dce57c49 100644 --- a/roles/rke2_server/tasks/other_servers.yml +++ b/roles/rke2_server/tasks/other_servers.yml @@ -56,7 +56,7 @@ changed_when: false - name: Extract the hostname-override parameter from the kubelet process - set_fact: + ansible.builtin.set_fact: kubelet_hostname_override_parameter: "{{ kubelet_check.stdout |\ regex_search('\\s--hostname-override=((([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9]))\\s',\ '\\1') }}" diff --git a/roles/testing/tasks/basic_tests.yml b/roles/testing/tasks/basic_tests.yml index 8244d4c3..5eb79a40 100644 --- a/roles/testing/tasks/basic_tests.yml +++ b/roles/testing/tasks/basic_tests.yml @@ -13,7 +13,7 @@ register: test_is_selinux_true - name: Assertions - assert: + ansible.builtin.assert: that: - test_rke2_config_file.stat.exists - not test_is_selinux_true.failed 
diff --git a/roles/testing/tasks/kubectl_basic.yml b/roles/testing/tasks/kubectl_basic.yml index bc8626f3..a73cb3a5 100644 --- a/roles/testing/tasks/kubectl_basic.yml +++ b/roles/testing/tasks/kubectl_basic.yml @@ -2,7 +2,7 @@ - name: Ensure kubelet process is present on host - command: >- + ansible.builtin.command: >- ps -C kubelet -F -ww --no-headers register: kubelet_check until: kubelet_check.rc == 0 @@ -11,14 +11,14 @@ changed_when: false - name: Extract the hostname-override parameter from the kubelet process # noqa jinja[spacing] - set_fact: + ansible.builtin.set_fact: kubelet_hostname_override_parameter: "{{ kubelet_check.stdout |\ regex_search('\\s--hostname-override=((([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9]))\\s',\ '\\1') }}" changed_when: false - name: Are all nodes in Ready state? - command: >- + ansible.builtin.command: >- /var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml --server https://127.0.0.1:6443 get no {{ kubelet_hostname_override_parameter[0] }} -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' @@ -30,6 +30,6 @@ changed_when: false - name: Assertions - assert: + ansible.builtin.assert: that: - "'True' in status_result.stdout" diff --git a/roles/testing/tasks/main.yml b/roles/testing/tasks/main.yml index 2bb63183..9a2f53f7 100644 --- a/roles/testing/tasks/main.yml +++ b/roles/testing/tasks/main.yml @@ -1,16 +1,16 @@ --- - name: Basic Infra tests - include_tasks: basic_tests.yml + ansible.builtin.include_tasks: basic_tests.yml - name: Manifest test - include_tasks: manifest_test.yml + ansible.builtin.include_tasks: manifest_test.yml when: inventory_hostname in groups['rke2_servers'][0] - name: Basic kubectl tests - include_tasks: kubectl_basic.yml + ansible.builtin.include_tasks: kubectl_basic.yml - name: Troubleshooting - include_tasks: troubleshooting.yml + ansible.builtin.include_tasks: troubleshooting.yml tags: - troubleshooting 
diff --git a/roles/testing/tasks/manifest_test.yml b/roles/testing/tasks/manifest_test.yml index f6386244..4bc5ebf1 100644 --- a/roles/testing/tasks/manifest_test.yml +++ b/roles/testing/tasks/manifest_test.yml @@ -9,15 +9,15 @@ mode: '0644' - name: Announce that we are pausing for 1 minute - debug: + ansible.builtin.debug: msg: "Pausing for 1 minute to allow for Pod deployment" - name: Pause for 1 minutes to allow Pod deployment - pause: + ansible.builtin.pause: minutes: 1 - name: Did the Pod deploy as expected? - command: >- + ansible.builtin.command: >- /var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml get pod automated-testing-pod -o jsonpath='{.status.phase}' @@ -26,6 +26,6 @@ changed_when: false - name: Assertions - assert: + ansible.builtin.assert: that: - "'Running' in status_result.stdout" diff --git a/roles/testing/tasks/troubleshooting.yml b/roles/testing/tasks/troubleshooting.yml index 5ac431e4..9314e250 100644 --- a/roles/testing/tasks/troubleshooting.yml +++ b/roles/testing/tasks/troubleshooting.yml @@ -1,7 +1,7 @@ --- - name: Show journalctl -e - command: >- + ansible.builtin.command: >- journalctl -e --lines 200 --no-pager changed_when: false register: command_output @@ -10,14 +10,14 @@ ignore_errors: true - name: Show journalctl -e - debug: + ansible.builtin.debug: var: command_output.stdout_lines tags: - troubleshooting ignore_errors: true - name: Show journalctl -ue rke2-server - command: >- + ansible.builtin.command: >- journalctl -eu rke2-server --lines 200 --no-pager changed_when: false register: command_output @@ -26,14 +26,14 @@ ignore_errors: true - name: Show journalctl -ue rke2-server - debug: + ansible.builtin.debug: var: command_output.stdout_lines tags: - troubleshooting ignore_errors: true - name: Show rke2 config file - command: >- + ansible.builtin.command: >- cat /etc/rancher/rke2/config.yaml changed_when: false register: command_output 
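Review bot: In the troubleshooting.yml hunk `@@ -26,14 +26,14 @@`, the `Show rke2 config file` task registers the output of `cat /etc/rancher/rke2/config.yaml`, and the `@@ -42,7 +42,7 @@` hunk on the next line prints it with `ansible.builtin.debug`; that file carries the `token:` line written by the lineinfile tasks in other_servers.yml, so every troubleshooting run copies the cluster join token into the job log. Redacting at the source keeps the rest of the file readable: `sed 's/^token:.*/token: <redacted>/' /etc/rancher/rke2/config.yaml` in place of the `cat` (no shell needed, `ansible.builtin.command` still works). The `ignore_errors: true` on the pure `debug` tasks in these hunks is a no-op and can be dropped.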
@@ -42,7 +42,7 @@ ignore_errors: true - name: Show rke2 config file - debug: + ansible.builtin.debug: var: command_output.stdout_lines tags: - troubleshooting From 96747e40e18f08fcab18e4b4f9e397221411142e Mon Sep 17 00:00:00 2001 From: jacob Date: Mon, 2 Oct 2023 14:01:38 -0500 Subject: [PATCH 6/8] Rolling back some bad/unnecessary changes --- ansible.cfg | 2 +- roles/rke2_common/tasks/rpm_install.yml | 17 +++++------------ 2 files changed, 6 insertions(+), 13 deletions(-) diff --git a/ansible.cfg b/ansible.cfg index 05f5fba8..8570c43b 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,7 +1,7 @@ [defaults] nocows = True roles_path = ./roles -inventory = ./inventory/hosts.ini +inventory = ./inventory/my-cluster/hosts.ini remote_tmp = $HOME/.ansible/tmp local_tmp = $HOME/.ansible/tmp diff --git a/roles/rke2_common/tasks/rpm_install.yml b/roles/rke2_common/tasks/rpm_install.yml index 237a73ca..e64badb2 100644 --- a/roles/rke2_common/tasks/rpm_install.yml +++ b/roles/rke2_common/tasks/rpm_install.yml 
@@ -15,17 +15,10 @@ gpgcheck: "{{ rke2_common_yum_repo.gpgcheck }}" gpgkey: "{{ rke2_common_yum_repo.gpgkey }}" enabled: "{{ rke2_common_yum_repo.enabled }}" - when: not stat_rke2_common_repo.stat.exists and ansible_lsb.major_release == '7' - -- name: Add the rke2-common repo RHEL/CentOS 8 - ansible.builtin.yum_repository: - name: "{{ rke2_common_yum_repo.name }}" - description: "{{ rke2_common_yum_repo.description }}" - baseurl: "{{ rke2_common_yum_repo.baseurl }}" - gpgcheck: "{{ rke2_common_yum_repo.gpgcheck }}" - gpgkey: "{{ rke2_common_yum_repo.gpgkey }}" - enabled: "{{ rke2_common_yum_repo.enabled }}" - when: not stat_rke2_common_repo.stat.exists and ansible_lsb.major_release == '8' + when: + - not stat_rke2_common_repo.stat.exists + - ansible_facts['os_family'] == "RedHat" or ansible_facts['os_family'] == "Rocky" + - ansible_facts['distribution_major_version'] == "7" or ansible_facts['distribution_major_version'] == "8" # Does the Rancher RKE2 versioned repo exist already - name: Check to see if rke2 versioned repo exists @@ -63,4 +56,4 @@ when: - ansible_facts['os_family'] == 'RedHat' or ansible_facts['os_family'] == 'Rocky' - not rke2_binary_tarball_check.stat.exists - - inventory_hostname in groups.get('rke2_agents', []) + - inventory_hostname in groups.get('rke2_agents', []) \ No newline at end of file From b6b1fde540c0b1e1d9afb5ac20c3201a83aea388 Mon Sep 17 00:00:00 2001 From: jacob Date: Mon, 2 Oct 2023 14:08:45 -0500 Subject: [PATCH 7/8] Add missing newline at end of file for yamllint --- roles/rke2_common/tasks/rpm_install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/rke2_common/tasks/rpm_install.yml b/roles/rke2_common/tasks/rpm_install.yml index e64badb2..68905d30 100644 --- a/roles/rke2_common/tasks/rpm_install.yml +++ b/roles/rke2_common/tasks/rpm_install.yml 
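Review bot: The new `when:` list spells both conditions as `or` chains; `ansible_facts['os_family'] in ['RedHat', 'Rocky']` and `ansible_facts['distribution_major_version'] in ['7', '8']` read more easily and match the list style already used for the conditions. As far as I know Ansible reports Rocky Linux with `os_family` "RedHat" and `distribution` "Rocky", so the "Rocky" comparison is redundant rather than wrong, and it is worth a short comment if it is kept on purpose. The major-version check still admits only 7 and 8, as the removed tasks did, so hosts on EL9 silently skip the repo setup and later fail on the package install; if that is intended, a comment naming the supported releases would save the next reader a surprise. Note also that the second hunk in this file quotes the same facts with single quotes while this one uses double quotes.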
@@ -56,4 +56,4 @@ when: - ansible_facts['os_family'] == 'RedHat' or ansible_facts['os_family'] == 'Rocky' - not rke2_binary_tarball_check.stat.exists - - inventory_hostname in groups.get('rke2_agents', []) \ No newline at end of file + - inventory_hostname in groups.get('rke2_agents', []) From c29b2135af2a9ccbaf84c516d048d0e370abfecd Mon Sep 17 00:00:00 2001 From: jacob Date: Mon, 2 Oct 2023 15:56:27 -0500 Subject: [PATCH 8/8] Add CIS task fix from #154 and #153. Prevent etcd user home creation --- roles/rke2_common/tasks/cis-hardening.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/rke2_common/tasks/cis-hardening.yml b/roles/rke2_common/tasks/cis-hardening.yml index 13d2b58b..634661d1 100644 --- a/roles/rke2_common/tasks/cis-hardening.yml +++ b/roles/rke2_common/tasks/cis-hardening.yml @@ -15,6 +15,7 @@ comment: etcd user shell: /bin/nologin group: etcd + create_home: false - name: Copy systemctl file for kernel hardening for yum installs ansible.builtin.copy:
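Review bot: The etcd user in cis-hardening.yml is given `shell: /bin/nologin`, a path that does not exist on the RHEL-family hosts this role installs via rpm (the binary lives at `/sbin/nologin`, `/usr/sbin/nologin` on Debian-based systems); a missing shell still blocks interactive login, but it fails `pam_shells`/CIS checks that expect a listed nologin shell, so `shell: /sbin/nologin` is the safer choice. The task's first lines are outside this hunk, so I cannot see whether `system: true` is set; if not, add it so the account gets a system UID rather than a regular user range, which is what the RKE2 CIS guidance's `useradd -r` does. `create_home: false` only applies when the account is created, so hosts where an earlier run already created `/home/etcd` keep that directory.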
